phax / phase4

phase4 - AS4 client and server for integration into existing systems. Specific support for Peppol and CEF eDelivery built-in.
Apache License 2.0

ECryptoKeyIdentifierType.SKI_KEY_IDENTIFIER in BDEW profile for encryption not generating <X509SKI> #168

Closed problemzebra2 closed 1 year ago

problemzebra2 commented 1 year ago

As mentioned in #167 the BDEW profile states that X509SKI must be used to reference the security token.

In #167 cryptParams ().setKeyIdentifierType (...); is now using the supposedly correct value but Phase 4 still generates XML like this:

[screenshot: the SecurityTokenReference XML currently generated by phase4]

But I think the profile defines that <X509SKI> must be used with encoded subject key identifier from the certificate extension (2.5.29.14). This is also the assumption of many market participants.

Also the example XML in https://www.bundesnetzagentur.de/DE/Beschlusskammern/1_GZ/BK6-GZ/2021/BK6-21-282/Mitteilung02/AS4%20Profil.pdf?__blob=publicationFile&v=1 seems to be not matching the textual description (pages 14/15).

Is there a way that ECryptoKeyIdentifierType.SKI_KEY_IDENTIFIER generates <X509SKI>?
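
The reference the issue is asking for, as an added illustration (not phase4 or WSS4J code): it reads the key identifier from the 2.5.29.14 extension, strips the DER OCTET STRING wrapping that Java's getExtensionValue() leaves in place, emits the <ds:X509SKI> form of the SecurityTokenReference, and offers a receiver-side check of an incoming X509SKI value against a certificate. The class name is assumed; the certificate is whatever you load.

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;

public final class X509SkiReference {          // hypothetical class name
    private static final String OID_SKI = "2.5.29.14"; // SubjectKeyIdentifier extension
    private static final String NS_WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String NS_DS = "http://www.w3.org/2000/09/xmldsig#";

    // Remove one DER OCTET STRING header (tag 0x04 plus short- or long-form length).
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2 || der[0] != 0x04)
            throw new IllegalArgumentException("not a DER OCTET STRING");
        int pos = 1, len = der[pos++] & 0xFF;
        if (len > 0x7F) {                       // long form: 0x8N, then N length bytes
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[pos++] & 0xFF);
        }
        if (pos + len != der.length) throw new IllegalArgumentException("DER length mismatch");
        return Arrays.copyOfRange(der, pos, pos + len);
    }

    // getExtensionValue() returns the extension value inside an OCTET STRING, and the
    // SubjectKeyIdentifier value is itself an OCTET STRING: unwrap twice. Only the inner
    // key identifier bytes belong in <ds:X509SKI>, never the DER headers.
    static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(OID_SKI);
        if (ext == null) throw new IllegalStateException("no SubjectKeyIdentifier extension");
        return unwrapOctetString(unwrapOctetString(ext));
    }

    // The token reference form the BDEW profile text describes.
    static String securityTokenReference(X509Certificate cert) {
        String ski = Base64.getEncoder().encodeToString(subjectKeyIdentifier(cert));
        return "<wsse:SecurityTokenReference xmlns:wsse=\"" + NS_WSSE + "\">"
             + "<ds:X509Data xmlns:ds=\"" + NS_DS + "\"><ds:X509SKI>" + ski
             + "</ds:X509SKI></ds:X509Data></wsse:SecurityTokenReference>";
    }

    // Receiver-side check: does an incoming X509SKI text identify this certificate?
    static boolean matchesCertificate(String x509SkiText, X509Certificate cert) {
        byte[] received = Base64.getDecoder().decode(x509SkiText.trim());
        return Arrays.equals(received, subjectKeyIdentifier(cert));
    }
}
```

Load the certificate with CertificateFactory.getInstance("X.509") and pass it to securityTokenReference(); a mismatch in matchesCertificate() on a partner's message is the quickest way to tell a wrapped (DER-headed) identifier from a bare one.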

problemzebra2 commented 1 year ago

The document linked above is an older version. The current one has a correct XML example and can be found here: https://www.edi-energy.de/index.php?id=38&tx_bdew_bdew%5Buid%5D=1945&tx_bdew_bdew%5Baction%5D=download&tx_bdew_bdew%5Bcontroller%5D=Dokument&cHash=9979de244bba1466cc503146e765f2c3 (the error was fixed in May by the BDEW)

[screenshot: the corrected XML example from the current BDEW document]

phax commented 1 year ago

@sopgreg are you doing the SKI header on your own, or do you do it with the help of WSS4J?

sopgreg commented 1 year ago

You're right, we forgot to close this one after fixing it in our implementation. Thanks for the reminder.